Time is almost up. If your site is still running over HTTP – you need to get SSL.
As we say goodbye to 2017 and look ahead to the new year, there should be one word on everyone’s mind: encryption.
2018 will be the year of encryption. The browsers began pushing the web towards encrypted HTTPS connections in earnest last year, starting in January, when Google and Mozilla updated their browsers’ UI and began marking HTTP sites with password fields “Not Secure.”
This past Fall, the warnings ramped up again and the browsers now issue a warning for any HTTP page with a text field.
And that’s all building up to this Spring, when the browsers will begin actively marking ANY HTTP website as “Not Secure.”
Let me say that again: if you head into the Summer without installing an SSL certificate on your website and migrating to HTTPS, then your website WILL be marked “Not Secure.”
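A triage sketch for the three warning stages described above, added here as an example and not taken from Hashed Out or from any browser's code: it sorts a site's pages by which stage flags them first, so the most exposed pages are migrated first. The `TEXT_TYPES` list, the stage numbers, and the sample URLs and markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: this example's reading of "text field", not a browser's exact rule.
TEXT_TYPES = {"text", "email", "search", "tel", "url", "number"}
STAGES = {0: "HTTPS", 1: "HTTP + password field", 2: "HTTP + text field", 3: "HTTP only"}

class FieldFinder(HTMLParser):
    """Records whether a page contains password or free-text inputs."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.has_text = False

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.has_text = True
        elif tag == "input":
            # A missing or empty type attribute means type="text" in HTML.
            kind = (dict(attrs).get("type") or "text").strip().lower()
            if kind == "password":
                self.has_password = True
            elif kind in TEXT_TYPES:
                self.has_text = True

def warning_stage(url, html):
    """Return the stage (1 = earliest) at which the page gets "Not Secure"."""
    if urlsplit(url).scheme == "https":
        return 0
    finder = FieldFinder()
    finder.feed(html)
    return 1 if finder.has_password else 2 if finder.has_text else 3

def triage(pages):
    """Return (stage, url) pairs, most urgent stage first, HTTPS last."""
    rows = [(warning_stage(url, html), url) for url, html in pages.items()]
    return sorted(rows, key=lambda row: (row[0] == 0, row[0], row[1]))

# Constructed sample pages (hypothetical URLs and markup).
SAMPLE_PAGES = {
    "http://example.com/about": "<h1>About</h1><input type='hidden' name='t'>",
    "https://example.com/pay": '<input type="password" name="p">',
    "http://example.com/search": '<form><input type="search" name="q"></form>',
    "http://example.com/login": '<input name="u"><input type="PASSWORD" name="p">',
}

if __name__ == "__main__":
    for stage, url in triage(SAMPLE_PAGES):
        print(f"{STAGES[stage]:24} {url}")
```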
Of course, if you’ve been reading Hashed Out for the past year this news comes as no surprise to you. But, procrastination being a very human trait, there are still millions of websites, some quite large, that have yet to address this issue.
Of course, if you’re just learning about this we would be happy to catch you up.
Why do I need SSL now?
The short answer is that the web browsers are beginning to require it as a basic standard. The internet, as we know it, is built on HTTP or Hypertext Transfer Protocol. And while HTTP has performed admirably over the past two decades, it has one glaring flaw: it’s not secure. Any information transmitted via an HTTP connection is out in the open. When I say that, I mean that it’s easy to eavesdrop on the connection. From there you can steal information, or position yourself between the user and the server, allowing you to perform what is called a Man-in-the-Middle attack.
When you install an SSL certificate, you can begin using HTTPS instead of HTTP. HTTPS is the secured version of HTTP. It uses encryption to both authenticate the server and protect any information being transmitted. You can understand why the browsers would want this to be standard. After all, information security is more important than ever these days.
Why do the browsers get to decide?
There are a couple of parts of this question to hash out. First of all, the browsers are in a position, somewhat literally, that allows them to dictate their terms. Answer me this: do you know how to use the internet without either a desktop or mobile browser? I’m going to go out on a limb here and say that the answer is no. People need browsers to surf the internet, and businesses need browsers to display their websites properly when people decide to visit them. If the browsers tell websites, “do this or we’re going to penalize you” – there’s going to be quite a bit of incentive to comply. The browsers have quite a bit of power.
Having said that, the browsers didn’t necessarily “decide,” per se. That sounds a little too ominous. They’re acting in the interest of their users and there’s a certain utility to that, which is worth commending. Secure connections mean greater user safety which, in turn, creates a safer internet.
What if I don’t need SSL?
You’re thinking about it wrong, then. At this point, it’s not about who does and doesn’t need SSL. At this point, it’s about the fact that the browsers want to shift the internet to HTTPS. Beyond the simple fact that secure connections are safer, there’s a technical reason for wanting to make this shift, too.
HTTP/2 is the successor to HTTP. It’s faster, it performs better and its daddy could beat up HTTP’s daddy. It also requires secure connections. The HTTP/2 rollout has been gradual thus far, but eventually, it’s the standard the internet wants to adopt universally. So requiring SSL also helps to facilitate the shift to HTTP/2.
How Does SSL Work?
I’m going to give you the abridged version: an SSL certificate is basically a piece of software that you install on a server that allows you to both authenticate said server and enforce secure connections with it. You start by acquiring the SSL certificate you’d like to use on your website, installing it on your server and then configuring your domain so that it points to HTTPS addresses instead of HTTP ones. Once it’s live, and visitors begin arriving at your website, they will be sent a copy of the certificate itself, as well as a public key, when they first connect. The user’s browser and the server then use the certificate and its underlying Public Key Infrastructure to authenticate the server (ensuring that it is the rightful owner of the certificate) before exchanging symmetric session keys and forming an encrypted connection.
Got it? Good.
We’ve been saying this all year, but it doesn’t hurt to hear it one last time: YOU NEED TO GET SSL.
It’s not optional anymore. It’s not just a product for big websites. Or just for banks and e-commerce. EVERYONE needs SSL in 2018.
So don’t wait until the last minute! Handle it now.